b'                        UNITED STATES DEPARTMENT OF AGRICULTURE\n                                    OFFICE OF INSPECTOR GENERAL\n\n                                         Washington D.C. 20250\n\n\n\n\nJuly 11, 2008\n\nREPLY TO\nATTN OF: 50501-9-FM\n\n\n\n\xe2\x80\x9cOIG Audit Report: Management and Security over USDA Wireless Connections\xe2\x80\x9d\n\nThis report evaluates security controls in place over the use of wireless technology connected to\nthe U.S. Department of Agriculture networks. Specifically, OIG reviewed the controls that the\nOffice of the Chief Information Officer (OCIO) and selected agencies had over wireless devices.\nWe determined that there had been limited planning, coordination, and/or oversight of agency\nwireless networks. As a result, OCIO could not ensure that wireless security management\nprocesses were integrated with agency strategic and operational planning processes, that wireless\ncommunications employed a streamlined configuration management, and/or that wireless\ntechnologies had been implemented with the appropriate security measures such as intrusion\ndetection and anti-virus services.\n\nDuring the review period, OIG stressed the importance of compliance in these areas with OCIO\nand the selected agencies. We also noted that OCIO had a new Chief Information Officer during\n2007 and several memos were issued clarifying the roles of OCIO and agencies in wireless\nsecurity. These actions have helped to strengthen controls over wireless security. However,\nuntil they are implemented Departmentwide, a material weakness will continue to exist. We\nrecommended that OCIO implement effective policies and procedures over wireless access\npoints, monitoring, physical security, and incident handling, and assume its role regarding\noversight and coordination of the USDA agencies. The agencies need to comply with applicable\nFederal and Departmental guidance and perform periodic scanning as required. OCIO concurred\nwith OIG\xe2\x80\x99s recommendations and has proposed additional corrective actions.\n\nThis report is not being publicly released due to the sensitive security information it contains.\n\x0c'